Reding seeks overhaul of data-protection rules

Viviane Reding, the European commissioner for justice, fundamental rights and citizenship, will in January propose a sweeping overhaul of the EU’s rules on data protection in a push for a truly integrated single market for online services. This, Reding believes, is critical for Europe’s growth and competitiveness. “To create growth, we have to encourage trust in emerging technologies, so that citizens feel comfortable using them,” Reding told online entrepreneurs at a conference in Paris.

Reding said that the fragmentation of data-protection rules across the EU created additional costs to companies of €2.3 billion a year. In response, she wants to replace the EU’s data-protection directive of 1995, which had to be transposed into domestic law by each member state, with a regulation, which is applied directly.

Reding’s draft legislation is scheduled for adoption by the college of European commissioners on 25 January, and is currently being finalised by the Commission’s services. Subsequent negotiations with member states and MEPs are expected to take two to three years.

The rules will apply to all companies and public bodies, but the most immediate impact will be on online businesses. This includes companies from outside the EU that have users in the member states. “With these proposals, the EU is becoming the de facto world regulator on data protection,” said an EU official. Reding expressed her hope that the changes would be “an inspiration” for the US and other countries.

The changes to the current regime are designed to stimulate growth and competitiveness by doing away with fragmented rules across the member states. They would allow online sellers of services and goods to follow one set of data-protection rules – those of the member state in which they are based – for all their operations across the EU, without fear of being found to be in breach of law in another member state.

Industry support

The proposed changes have been broadly welcomed by business groups. Despite concerns about some of the specifics, they are in favour of greater harmonisation and improved legal certainty, and the reduction in administrative burden that this would bring. But social network sites such as Facebook worry about giving users greater control over their data, another thrust of Reding’s proposal, because it would complicate advertising. Her draft includes a “right to be forgotten” by such services.

Reding will propose fines of up to 5% of a company’s annual worldwide turnover for serious breaches. Data-protection authorities in member states will be given greater powers to impose fines.

Joe McNamee of European Digital Rights, an advocacy group, said that there was “a desperate need for stronger enforcement in the member states”.

“At the moment, we have a patchwork of national data-protection authorities that are better or worse equipped, with greater or lesser power of enforcement,” he said. “Consistent, effective enforcement across the 27 member states is badly needed and the powers and resourcing of the national data-protection authorities is core to achieving that.”